oxen-io / session-desktop

Session Desktop - Onion routing based messenger
https://getsession.org
GNU General Public License v3.0

[BUG] webp and CVE-2023-4863 #2922

Closed Jigsy1 closed 10 months ago

Jigsy1 commented 10 months ago

Current Behavior

Although I can't personally use any newer versions of Session since I'm on Windows 8.1, isn't every single version of Session now going to be impacted by that webp exploit (CVE-2023-4863) that's been reported and fixed in certain applications over the last few days?

Especially as the webp library is also part of Electron, Signal (which they've fixed), and other things...

Personally I think this needs to be clarified.

Expected Behavior

N/A

Steps To Reproduce

Unknown

Desktop Version

I was using the last version that worked with Windows 8.1 (since uninstalled)

Anything else?

No response

Bilb commented 10 months ago

Hey, thanks for the report. I made a PR with a fix. I suspect we are impacted as Signal, and Signal did not say how they are impacted yet.